Windows Analysis Report
https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip

Overview

General Information

Sample URL:https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip
Analysis ID:1543672

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Downloads suspicious files via Chrome
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis

Classification

  • System is w10x64
  • chrome.exe (PID: 5012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 2936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,8629211986149783283,5582461857598252456,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • unarchiver.exe (PID: 6092 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 5304 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • chrome.exe (PID: 6396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken500Win_base_open_source_copyright_license_information.pdf.md5.rtf
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken500Win_gplv3_open_source_copyright_license_information.pdf.md5.rtf
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File dump: C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip (copy)
Source: classification engine | Classification label: sus22.win@22/28@0/9
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\88aafe29-d2bf-4362-aaf9-3d4001f95ec3.tmp
Source: C:\Windows\SysWOW64\unarchiver.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,8629211986149783283,5582461857598252456,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,8629211986149783283,5582461857598252456,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\7za.exe | Section loaded: 7z.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 4C20000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6416 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 7_2_00F3B1D6 GetSystemInfo,7_2_00F3B1D6
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures; techniques without a number are unmatched placeholder cells of the matrix):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: 31 Virtualization/Sandbox Evasion; 3 System Information Discovery; Query Registry; System Network Configuration Discovery; Internet Connection Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 1543672, URL: https://download.rsa.com/to..., Startdate: 28/10/2024, Architecture: WINDOWS, Score: 22)

  • Signature: Downloads suspicious files via Chrome
  • chrome.exe started
    • Contacted: 192.168.2.4 (unknown, unknown); 239.255.255.250 (unknown, Reserved)
    • Dropped: RSASecurIDSoftware...5.0.3x64.zip (copy), Zip
    • unarchiver.exe started
      • 7za.exe started
        • conhost.exe started
    • chrome.exe started
      • Contacted: 142.250.185.100 (GOOGLEUS, United States); 142.250.185.238 (GOOGLEUS, United States); 5 other IPs or domains
  • chrome.exe started

No Antivirus matches
No contacted domains info
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
142.250.186.35 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
108.138.26.32 | unknown | United States | 16509 | AMAZON-02US | false
142.250.185.100 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.238 | unknown | United States | 15169 | GOOGLEUS | false
172.217.16.195 | unknown | United States | 15169 | GOOGLEUS | false
66.102.1.84 | unknown | United States | 15169 | GOOGLEUS | false
IP: 192.168.2.4
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1543672
Start date and time:2024-10-28 08:35:55 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:SUS
Classification:sus22.win@22/28@0/9
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 44
  • Number of non-executed functions: 0
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping network analysis since amount of network traffic is too extensive
  • VT rate limit hit for: https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip
No simulations
No context
Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3968
Entropy (8bit):5.347143801042939
Encrypted:false
SSDEEP:48:BpVvqIGMIGbMIGMIGpmIGyDIGMIGpiVIGbqIGnVIGcVIGFIGMIGHIGMIGJIGAIGl:f/All
MD5:B0A0A0B350334830ED2D4F395872C4DF
SHA1:28884BCE52D503243196D98032A25DD487F41265
SHA-256:A6FC40A61A70E0AA20CDCC15C73E202256BE727147A1816F5A81359478D84BEA
SHA-512:4EDDBE3555222647281E0A46066025E3634EB564EE048E784DDDAA9352743B3C48923112F2747E8D12345D2AF572FA0F0E6E10D07D9CC408736256E45AA126BC
Malicious:false
Reputation:low
Preview:
10/28/2024 3:37 AM: Unpack: C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip
10/28/2024 3:37 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay
10/28/2024 3:37 AM: Received from standard out: 
10/28/2024 3:37 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30
10/28/2024 3:37 AM: Received from standard out: 
10/28/2024 3:37 AM: Received from standard out: Scanning the drive for archives:
10/28/2024 3:37 AM: Received from standard out: 1 file, 148513035 bytes (142 MiB)
10/28/2024 3:37 AM: Received from standard out: 
10/28/2024 3:37 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip
10/28/2024 3:37 AM: Received from standard out: --
10/28/2024 3:37 AM: Received from standard out: Path = C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip
10/28/2024 3:37 AM: Received from standard out: Type = zip
10/28/2024 3:37 AM: Received from standar
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):151801
Entropy (8bit):7.996339080334373
Encrypted:true
SSDEEP:3072:A3rMMFL5f0C7raRp/iaa32slyv4OokRwl3QIp3dODJjzcSXFYyVSdql:mM4LdRup/Q2ss4xRQy3WzcS1SAl
MD5:D98806F063559383A020F53AF7843039
SHA1:D68A91AF1B4CEF6877FDB918EE1F7A91BB4B8AFF
SHA-256:8A461ABC95C5B4B9ACB8AA3897E0FE825249FE6029F15B12AB270BB3DC1C986B
SHA-512:5648BFED38088F8D0FD660F35EB755BF903884E4880E4B09825189BF7C81159B84CABE59C745CC06A62EB07C30D5D5893CC711A9E65866C616A033D12B3CDE81
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):90105
Entropy (8bit):7.994220216305374
Encrypted:true
SSDEEP:1536:yBSmjlz8l1mXbjSlFyiaqBr3hsoc8Vm4yyQTygAHgVXzX2uYOHVE:y4mjhKlsiaqBDi/iyyQ+1AJj2uc
MD5:C9DFFFD3D2DF7DA0912EA699EA364711
SHA1:CD7680A7B1231673DF42F1115BA405817FD082FE
SHA-256:06C965863809BDA9630B909DDDF8ABE6AEEFDAE0228CC8AABF90ACECA69BCADB
SHA-512:A9392E13EEE42DDCFEB12FDD92A7293871E426908455829E5E3CCE9FB545F168933EFAB50531ACFE30304DAE6D241E24B04097B55FFA7307B5495686BF96C867
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):168
Entropy (8bit):4.922673213339128
Encrypted:false
SSDEEP:3:Hr+1SGlQEO5UCMoVUmIhzOxxqDhZJsVRKOA8e1nQRSB3W5DzOsVRKOA+BmTXAGue:HrXEO5UCMoW/uahoRKv3nQRSZ+nfRKvT
MD5:A9CA4FDB11CFC94CE04C1CE4D7A45287
SHA1:48F2BB9A7BA55D09ED2C967AB8D0C9763CCE3FC6
SHA-256:97520412E7C00B59268983BE41839E4D2BD6D82EBADFE51007389A74DA31C320
SHA-512:D645E791F7D8A5BB4DA28B94CE67EE17F1CF473A7C6AE43C3D0512A4F20F7AB80EE7B078CC6A79AEF9DE447B62E861843A7B193060014ADB16CDDC166B8F9F9A
Malicious:false
Reputation:low
Preview:\c9dfffd3d2df7da0912ea699ea364711 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/dist/RSASecurIDSDK503.zip.
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):75444
Entropy (8bit):7.9954541705445825
Encrypted:true
SSDEEP:1536:RHrtpiH2l2wIut71Z2EoSGpUmXIMjyFbxgyqCgJLEzjGaG90N:RHJpVl2payZqmYMYbeyqCWLOGaGU
MD5:518094E7BB7C7F7784DC1B9093E923B2
SHA1:B56A8D934D66CA3149FB95D1D3FBBAD701040551
SHA-256:F435C810A1B68D308800A57D0762EB281DE579050601E83A73E6FA0AA23F0F15
SHA-512:339F16F5CBCECC9FA341E461B3DE04E1674E45E84B06583D27C4EA326BA623756D766237F7906323576F97B6ECDF1EFA7C9EFB5EE7ABB546F0DD7FE65FEB1E54
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):39715
Entropy (8bit):7.989708362331144
Encrypted:false
SSDEEP:768:dimyMB2EX6CB6Pg9uFDEtV9oRwx0Heq5ERycqKB3kYcx:diFMRD4gmEQNwHPcx
MD5:B7C4A9C541F1305D924BFB60DA5A841A
SHA1:81F93BD67FDFCC7CE0890A52A7DBDE2FD52D14E5
SHA-256:B6CD76FD5E94D1CECB85BF4798D9036E7E2EDD45C20F25A8A33A7B5D404DB916
SHA-512:240F7A9F8AE96569B04933CE7ED5421A3E5CE4C5210E45655749484481FC44A83CDD496FED392E193E1DC94F46D6BFC231580A9553789DF13420FBC512E8BA8C
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):60814788
Entropy (8bit):7.998954956762879
Encrypted:true
SSDEEP:1572864:9bh+csxADfSIrrs/CFTDV9TuID6e9OTTxky21Ig:91++fXr99TuTe9UTx+1Ig
MD5:0048BC24BEFDE0BB9118C43B194F411F
SHA1:82BE930104802A63952A31335E0D65C93A9B52B7
SHA-256:1B241FA0AA28189172D256E3954EB9EF5E7ABD2440124FCB473B6319EBA75F79
SHA-512:607875E775D5C39E4F58A85DE8596CB8261E330B363935AFE6AF6826FBC1096DE88FE46EAC6C15D5C588DDD9FFBBA4762FA98C1C79988F7D74D3C41699B35BA5
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):170
Entropy (8bit):4.896125542445159
Encrypted:false
SSDEEP:3:hRFGGdAtHODo5fMoVUmIhzOxxqDhZJsVRKOA8e1nQRSB3W5DzOsVRKOA+BmTXAGe:cGAHymMoW/uahoRKv3nQRSZ+nfRKv+0u
MD5:65D064AC944FB686398DAADC9B100F47
SHA1:6B98DDD261BEA020E5EE606B8551F9B26DEB17AB
SHA-256:14D2EB9AB9DBBE1E710880279319E22B0BB1020582BCCF60212A7B4AC7F812E3
SHA-512:CB41C996190E2894FA82A16431861DF4FE3A2A8AF3150D2C756DDC7C9ED91F449523069952155C91250FC8A19E3796FA233A484D8A4EB00941338FA681B8A151
Malicious:false
Reputation:low
Preview:\0048bc24befde0bb9118c43b194f411f *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/dist/RSASecurIDToken503.zip.
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):2204745
Entropy (8bit):7.9991713606240005
Encrypted:true
SSDEEP:49152:TxhyqoZRDMdoaawtpPZJgE0IpvR75c+LSkBY:TxMqoZKd7awtJJ0IVR7KWZY
MD5:2F989FE56F4845E037E44F55FD103D05
SHA1:A474A9416ABD11534FE48E980099E1DA1BDA8500
SHA-256:7027E166961050ADC168135553C7D4A8D221C8D4173AE363862F41CEF6FA7271
SHA-512:60AACF5109D7E92A3CD3B6E2E74F2D6BB8ADED7F048F1E97E112211B19AB0CB00E7FF0A450EDB6F324F76E2F7417D7451F41D994EF3F96E217005E5348B65289
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):174
Entropy (8bit):4.8840474131090295
Encrypted:false
SSDEEP:3:PhpxVVARRgWGqZMoVUmIhzOxxqDhZJsVRKOA8e1nQRSB3W5DzOsVRKOA+BmTXAGn:PPTVARR6qZMoW/uahoRKv3nQRSZ+nfR8
MD5:58BBBF757FECD166934EF92C0EB1F3B9
SHA1:1D703502CD845B3E5622EC1394EF198F3EDC08C3
SHA-256:1C894B7856EDF4A50ECE6F1288FD45AF78F7C08B8B2FD1D47E197EE46380C32A
SHA-512:B78307DD57AA8A709BDC288217B1E3CF34E0F212FF98EB220F430C87B498DAFBFB0C634704D8E024807E7E937C3CEAF948B20C0C9E716AB986D108F541064C49
Malicious:false
Reputation:low
Preview:\2f989fe56f4845e037e44f55fd103d05 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/dist/RSASecurIDTokenDocs503.zip.
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
Category:dropped
Size (bytes):73583
Entropy (8bit):7.996675795333024
Encrypted:true
SSDEEP:1536:hyLOSN0z0/SMDDwAAxvuSPxVp3SyZA2cFivZwjrcqNZYsKaB:hyNCztMDkjBPHpiyZAMBw/L9
MD5:BB0E54EE41A596B22735E4523BC26EDF
SHA1:72C951E81A5514DAAA39FF236FC07B84E9E458D3
SHA-256:020F2E84BF4CC04304EACE25A886E76C319339D1F0274B5084C3A923D5A92832
SHA-512:8D9DF7F172333618C9EBE89FEBF98B53D823E244146085B16FC94F8E4CD4CC997135E9C5A1674FDC11EFA7DEAE117B54173C73A240ECE69235D3DAB10C574AFA
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
Category:dropped
Size (bytes):18777821
Entropy (8bit):7.996794393409184
Encrypted:true
SSDEEP:393216:jMq1VYa4XXhdTDwnZdkxfxrb+AAnbWMZ+2X:jPVYa4nXTeAZ+7Z+2X
MD5:88D5CF9271ECCFA6C52EFFB4DE5CE0A8
SHA1:60C4E69FE44269CFDF031D3A85163B1C783E3944
SHA-256:B3E5A374B44089A05A6A0891DBA4DD836FF4A05BA8FAB34E28CD8AD06696162A
SHA-512:439BAE45153AB9643FCE435A9CD1DBEE7024D138AF06FE5DF0819AC4A247087D14D5F4AF1042749436BB5EEC5C39343F9160A987B5568A5FB05C2B3167324AD2
Malicious:false
Reputation:low
Preview:PK........U..R..{~kk..........QtCore4.dll.y|T..8~'3....3,2.H.h.q....c.L2.{.D.,....FZ7..E.E.(..o.u.J.......h."Z.I., ...h.p..q...P...<..;w..m...../...n.<.9.y.s..,5.V.vA......a.......m.0d..!........xc..?[T.`..,.w}a..n.1Xx.O...n(......S.....7x."..........6~g=.\.<\w.y...:a..t]..9.N\.W.......'.]..].X....l..w~...U.V?....W..z...s....&.^....Xn.:.V...w...m...x.+.-...$....a..z....I........\.......<"..W.7^....?...w.O....P....'..s.(6.s.'..0.+<{*~8O..>..K..[.+f.|^..p]Q...a...i..a.y.....'....#.B'\.............A...y.....'.:B]..p.HK.=o..pO4...ypm>7C..^w#$.QF.....--]EvJ...Y.6[...s.Z.uu.<lI#../......3_...s..H}.x.....R..)............[lAQf[.?..$Af.2./*.....l1...g....9...2.y.9'.c?......&9.u.rdiQ.."@...h....I}.T,@...|.b.c1W.hgC6J.xl.."<Z,....eW.E.p.Zk.&....v6..~...V.t_.L.3.C....D.vDf..g .....j~...:.....`.x.N.YR.]W.D.n..c}H.nm2A{..V.....7.S......j..I.3.7.........3...~.L.3.{..|...!.y._...,..._.??...^..@....f....@6..6%.Gzi.p...s.d.vOZ..~Y.o[<._.4...$....,...|.......
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
Category:dropped
Size (bytes):21214
Entropy (8bit):7.9894527648373845
Encrypted:false
SSDEEP:384:PNoj91270VRJFKNGFFucidgrihm2+at8VdnB6VLNzO1j6/pTycuRZBo61Vlo:PMOiFK8FpHihm2duVdB6VLNaY/huVBVi
MD5:B1B46A0014D6438C8DE947A0509EC627
SHA1:10BA7D5409DA50215F37DEE4A88B53B47F640A23
SHA-256:3A95CE9F5047A75E910D6F7BA852FC197A7C668A19A520963FCB73400A0CDA67
SHA-512:96AC7C7767B3D797AE8A30DC0A69FC2C4E179081E5872064CE251566209196B238D1A6DAAE651B24D86D4E51F01107FB343998039A026E9F924320BF666A498F
Malicious:false
Reputation:low
Preview:PK........`f.R.nv.8R..vd.."...Token_Import_Utility500_readme.pdf.|et\....9ff.n333333C..3.1%f.9fff...9....g.]s.;?^.^..jmIU..vU.J......F6D...YD8.3;13...5"//..........)1.I......dR .0s2...X..\L..,L..~a.`a.$.!f..$...z...f....!..._c....C.....L.............1+.........31....$ne.j..$nk.j..-LR.:..!aN!vq.8...]L...Wvq.VV.;+..+@.........f......U...s.9.89...8........M.<u~S...}e...D._STf.5..p.$.d.=..?.deRvpp....*.....L.^.fL..f.L.:.b 1...\\.....,7..MQ.....A...#T........H..B.%..PN@#8.I.....!<...$..._......Zll.R........rA@.@r.....~q............9".3".....8"...>+...K....d./..~....._L........B...o........tu.tuM.w...."..*aB..".....`C`92..rJ.@G.`.Z..=....c$.'C`Mn.@....2/.~..<.7.0........B..."B...@qaa&........9.G.....)....3s525r5"..CT.Fvf...`..J...^........9.....&.w........../5.u...(.Y........b..w..o.....W.?*.7.s4U._.4.=......._s.u.....9..f/.....B._ja.jf....0...%5._%...............<u~...kn.\. /.K.~....W......_c.7..f..n.&.p.Ov);....1......p...........Y...]\.._../0.........1V.j.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):170
Entropy (8bit):4.942318253746083
Encrypted:false
SSDEEP:3:qx/lRaa59+qR5ZMoVUmIhzOxxqDhZJsVRKOA8e1nQRSB3W5DzOsVRKOA+BmTXAz3:qlloIn5ZMoW/uahoRKv3nQRSZ+nfRKvg
MD5:02DF77533703A976C74039994494228F
SHA1:F128EDF12E9F25018D01D1DFE3556C466DC4DD3B
SHA-256:65818F622AEDEDC0601BA264C81E70452BFA63D75D9C5A0B0524DDD70ED237AC
SHA-512:A937C874A60CFA54A15B54A4E5B95E1D9ADEE4D0637C38D73F7F52D968FB1A338F67144F2C0C5533D27CC9FF939EB30CB92E8A5921C5BC58D6E8B222F21D79DB
Malicious:false
Reputation:low
Preview:\b1b46a0014d6438c8de947a0509ec627 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/dist/RSASecurIDUtils503.zip.
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):40903
Entropy (8bit):7.9881686189237495
Encrypted:false
SSDEEP:768:1/ay8eIGg36+oOg1lRjY52iyn3oDNuGr+NlLgRFheFbpCXLNo:1/KGg36Pp1lRY52PnYDNu5Uss6
MD5:EE71318845DFE171EB2B17FA9EB966D5
SHA1:B01B78397FB17B76B6841A183E1BAA4DB6438DEF
SHA-256:CD7A9F15BA327B7D6D0C8D98A1DB7F3E761F5AB933F04AFCD5E03BD731E49B28
SHA-512:3C7ED3832CED01D3024CF952D049A5FBAA6AB974E7D9DD79194F5701003EC9783D7AA1A8984117B1A9DE47D61A56826962CCDDB39B4BB9E3CC9827A00F58E628
Malicious:false
Reputation:low
Preview:PK.........R................doc/PK.........d.RE.q-w...........doc/readme.txt}.MN.0....z...UAb..RX..T. $v.=IFr.h<i.%c. ~$......o......i...b..:.X._.......F(...V....%.aB>.......X.h... .B.i.(.z.V....#..b.G<2..'.!...j.....*......<'.r.......|vB...H!{.[..?*EG2Ad.A.R..{.2J.<..&`..a......2.-..H..:..`u.s.$......9.._7[....%.....q..#."k.....r...:.M.~p8.....L......~o.&.z)Aqmlv.r..`.v..-.`...l~........CCa1.L{2].C.x.....\S.L..tF..E..'Vq.%...pK`.PK........vf.R....*......!...doc/WebID_Browser_integration.pdf..p]...x....t........b;vbff......!fNL1.....^..{^......U.H.h.ik..se...).vVn.......Dvvvr ...-......#..l... ggS .....eS&gg.b.$.`....).s.i...pp...s.s.sp.._.B.9Z.j..?..>8.........b.vp}..w.wwpt%.bS..,l.......^.I....lR..n....J..qJrqH.....s.p..K..9x$8...y..8%_..y......R.@.$7..(.(7..SB..G......M.....k...,.^..|QQ.M..h.fM...K..?......."....y._L.....b.Q.Y.i.s........2u@A..63.@7113.....B.%AoA........D..."..~./.....a.....@d.Wd....j.}..r.6.3A.k(h|...*'.....Oc....
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):34969
Entropy (8bit):7.9400022774965535
Encrypted:false
SSDEEP:768:kWBeQv1LwHxpeao6y5NlPbPcaSNURhmKEwTSNURW/mdc6UDzcC:kye41SeR55NlzdtRhRfTtR5eP
MD5:606EFA2DE1A08D8951881131A02D1B5C
SHA1:7153119060DF660C3162B01BD30FEB34EA34FCB0
SHA-256:C7649217B405963385B744B74E80E505B53C350E30315515C2D2E4681B3B962A
SHA-512:F4523F9E60C725E3116A858509AE9FA56E87304FEB886C0EF151D02D4F249A059B05C1E9537C8FD18314B16CF51182F2B775BC5962283586ADFBCD43234A2156
Malicious:false
Reputation:low
Preview:PK.........R................templates/PK.........d.R.SV.....@.......templates/newpin.htm.X.s.F...g.?\4.X.0..C..S....f....w:...j.N=..L...{:}...<..0cN{............P..+....x.#..R1."7."......)$...,G...M<.....S:......$#Z..}ur..f).d............stH.#@......z..:;:|.....N.O.9.... .......D....F.N.@^q.H..0Q.....<Nc.....$.&Y......*`>_.x.......R`.3........z.V..fR.J......t-.@+.b5W./..........<([{T.... .....).*.k .....5.......&........%.$.&...I.2.....^.T..\.....7...N.I...Q..<..m..2?...k..........#.e#[.UU...&..F..!. `&cU?..S...l."....K#..R...p..z....c.....E.BsUe ...Q.4S..yq1...Tr.J...9.=.8.$P.Ki....vf._O.}r..LR.>.m..ij;c..*...s...I...JO;...C..q.ZZ.PI%,.. j2..Lr..z2...?A(x..#3......0`.yG..xLE.C&m..K6...\.. o...Z.....i...vA+...|...)..:GV .=.V.....b.S.....J...#...6@b..<.'G.....J.07N.zM...(L..K6.:...2.8..niL.}...2....c%.$.4..(..w...?.{.q..?N.....-S.idBgT..4...^=.r.....K.5.}.#.e...b9Iy./....p......E..&..=.....#T..q..?.Gg*.Z....._W.9..W..+.W....[*...[.a..Qo4.M..H
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text, with very long lines (327)
Category:dropped
Size (bytes):328
Entropy (8bit):4.820615114827762
Encrypted:false
SSDEEP:6:H7SVcsMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xJh2chfs+1:bSVcto8dS5SZAflmpj7JEJZJsv+r6KTP
MD5:5871112D15DC194F0824298547D1D481
SHA1:B7871A3285777BD69F9F216B0C8A60EB9CED6526
SHA-256:C851105E27B92D9BAD1FA0DAA845C77523DFB9706DD94973C1DC471D168D55F9
SHA-512:63BD4B90B9A628D71467D0AFBDA108B4BC7B0F2A0B2D90F89EFC6EC871C285A895777136119F970E91E54D66979822C3C10EFE372963049E8C27E280038FD905
Malicious:false
Reputation:low
Preview:\9d0db2a545fff5f3e34009d0704e4036 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0/output_files/SecurIDToken500Win_base_open_source_copyright_license_information.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text, with very long lines (328)
Category:dropped
Size (bytes):329
Entropy (8bit):4.862546639638478
Encrypted:false
SSDEEP:6:yvwizu9MoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xJh2chfL2:JUuuo8dS5SZAflmpj7JEJZJsv+r6KTIZ
MD5:37B21BA69532FFD53271F6355FBD4934
SHA1:3EFDB49698021990AC402AE91C334B7CBFA49F89
SHA-256:382E585D089C602F8AF1B07E598C535A0D1E80AE005BB9BC9BB0EDAA6C935511
SHA-512:E86EC7A7D2B75AFCF0C7A62BA6D028B8605B7C7CD534CFB869364B0C45BC29A8484A207016FE9E4B6CC592F58AE67EF36E3A254C2D2FD9A0D835997A373E37C3
Malicious:false
Reputation:low
Preview:\b45864a551c6c2aa6a594ee75be66c76 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0/output_files/SecurIDToken500Win_gplv3_open_source_copyright_license_information.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):292
Entropy (8bit):4.830171196513125
Encrypted:false
SSDEEP:6:qUQZdn31gfZMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xJh2s:qJZdna6o8dS5SZAflmpj7JEJZJsv+r6Q
MD5:CFBE6C28D12B1FF1FEB6B492F856A2DC
SHA1:11AA9EE0C4C3A3D2A9C43A4A51D48A4640414380
SHA-256:463B76E7C88C62A8A8AEE54E3333D43CC48D21093955FF63EEAFA59A0DA1723A
SHA-512:C6C08D73D458E8BFA74A894095F68E938ED4DCF5A59105F899A52FDA6F1CA18CFD5368B0DB35245A8016C0FF9FA8CBDE72A27E6ED24B9C9A83878410C9612857
Malicious:false
Reputation:low
Preview:\b0666e1ee4abe4591f8bb3e5b3891ff0 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0/output_files/SecurIDToken500Win_quickstart.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):295
Entropy (8bit):4.773087747595716
Encrypted:false
SSDEEP:6:RnZMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xJh2chfTl1:Mo8dS5SZAflmpj7JEJZJsv+r6KTIsJbl
MD5:E64F14EA613707036BCE00E048A3344B
SHA1:DAFC87821D4ED600F004B6BF364CFC16FCDD647B
SHA-256:EC16A88D26B35FD361B0C89E91CD9E1CF5E9793AD8A89948452D24F6A10CA2BA
SHA-512:F2083958A44660FD597400402E580E86CA1813C17396CECC25A85C11DE281D9B2965A12451E33C9E64EA98E9B6142290DE402B0AC97173DB4AD5223D7C09AC54
Malicious:false
Reputation:low
Preview:\aa7ee72e20f7bbe71142e8d8b704d120 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0/output_files/SecurIDToken500Win_release_notes.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):297
Entropy (8bit):4.825990529510777
Encrypted:false
SSDEEP:6:sGaFL3ZMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8x5k2chLsb:2Dyo8dS5SZAflmpj7JEJZJsv+r6KTIsz
MD5:325786CFF31F8DDA7722388A7E27F7C0
SHA1:ED7EC6B8D4031BC202C0CDD61A94E9E49E031062
SHA-256:BBB6EFB42D2AA73F714F24A6C77752C654475CB8E454AE62797BE08D8420CAB4
SHA-512:FE56A65BC7F651E8657066DB78CDD568D07239BD11162593EDD2B455BB06A49E562EA538DE43A4918C9E73E7B7DCFA6682E3947431E4BB80AD3A12C69311EB95
Malicious:false
Reputation:low
Preview:\b78a388b9587897c92e011cd3551dd95 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0.1/output_files/SecurIDToken501Win_release_notes.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):289
Entropy (8bit):4.768334742076053
Encrypted:false
SSDEEP:6:5UBMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xth2chdTzdl:5U6o8dS5SZAflmpj7JEJZJsv+r6KTIs9
MD5:C447F35EEA26BE521F2601AC4F876C8E
SHA1:1ADED71BAC7E0004F6A455B834A9880BD9FAB6AC
SHA-256:0D0632AE9E8904214E6ADEB73FE8D9D5B1B04112DA0157BFB1AD1D4CC0399D28
SHA-512:AC52568730FDD4A36F78C733CA787614552DD17D755BB1EBEB40D7409D259813400A44AAD1561424FF72600FD379EA22ADC41AA6A32C48A1BE7EA36D76D9A15C
Malicious:false
Reputation:low
Preview:\c03e2f2d2df9ee24d2e44cce9d1dc0c6 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0.2/output_files/SecurIDToken502Win_admin.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):297
Entropy (8bit):4.810704285073604
Encrypted:false
SSDEEP:6:nOn31Dd3o1kMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xth26:nOnZd3oPo8dS5SZAflmpj7JEJZJsv+rt
MD5:6F4DC80CA0D254EED08BF0E635BCD6C4
SHA1:6A9B88700264D6EBD1028D74EE4378E95372F874
SHA-256:50BE646CAD4C7F811682132B53658716B1CE792CD13B40F8B8134A7B537FB11A
SHA-512:E5F539B42516469F6C340D8545D94CEB61256857F2C8FEE9C36C445B669D8C8A151A781E27783FA7E5D136ED38072443A10F45E9FD6AE298219D9DCE23E37F65
Malicious:false
Reputation:low
Preview:\ef302b16b6c3dabe5ec9f413ff65c18d *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0.2/output_files/SecurIDToken502Win_release_notes.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text
Category:dropped
Size (bytes):294
Entropy (8bit):4.805430804989561
Encrypted:false
SSDEEP:6:ZAH4/FyZMoW/uahoRKv3nQRSZ+nfRKvymp/MK+EJEJZsysvLayO6KTI8xJh8D0qU:Ze4Nto8dS5SZAflmpj7JEJZJsv+r6KT9
MD5:C3162E3AB5CD8F466C845C51ED91DB30
SHA1:DD911CE51973A066B80A0B792F3DB82DA4E70580
SHA-256:45CB94831F7E189CDF55EB6EB685C9154563E00C3591FC671C98DE550DCD6F4E
SHA-512:62A0BAC279389C87AE66A12C8B2850AFA71049908B1D1502F7F6746AEB10A2D4DFF611602E51EE820CD0EC984167B42D2BF5C73134F3F456F26323F41335F141
Malicious:false
Reputation:low
Preview:\3c58b393ec1ac6e80fe66e540314d5b8 *E:\\jenkins\\workspace\\rel-Desktop-Token\\release\\desktoptoken-5.0\\sw-authenticators\\src\\desktoptoken/../../../../../user_information/authentication/authenticators/software_token/desktop_token/windows/5.0/output_files/SoftwareTokenProvisioning_admin.pdf.
Process:C:\Windows\SysWOW64\7za.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):66275746
Entropy (8bit):7.998429687091168
Encrypted:true
SSDEEP:1572864:guID6e9OTTxky21Ig1lRoYeu0dzNaLUzEmamcY1jdO4p4Y2:guTe9UTx+1Ig1lRoYIzNGiEmamcY15e
MD5:641E7B68A2E8CEE11662B328C48F4ECA
SHA1:0FB30A2557074DAA870B6A28B7B577496AB33713
SHA-256:FF6E0D314ABC7AADB6ECCA895306C5145A0A31D646E63AE18365BF9C70C48924
SHA-512:0B09D0792D59DBDC9687C0584E85F713EDEB825953A9EC3364E69D0EE8BF8A2DD5D39A7D165E547184B9BA4324C7F5DDBD47FAB7E0C6FD88BB445E597A791F1C
Malicious:false
Reputation:low
Preview:PK...........R................testSDK/PK...........R................testSDK/gpotemplate/PK.........d.Ra.V.....g!..'...testSDK/gpotemplate/RSASecurIDToken.adm.X]o...}....)...p..-.p/T@..T.-...........!wU..Y-.....(*U.i...D...93..3...fp...8...N..........g3..k...s........Y.&.".....g..?...V....D.e"s..v.}~..<._. (U.OM.B%.=J./....H.}..a..0..N...!.F.<+........&...Y[x-3.p..MA...........RX..,$.."..!.]e..s/......o.5..+..<....:Rq.....?...8z\%B5...z...9\...M.y...`rs9....i..g.......d...>k.............z(2.#..3:>.a...H..7._.q....p<.....V..d.z.C.....M.i..L..........0...l..#.k......N.<...CD..[.Z..v.r.(....4.9...Q....HT...oK.<F_L'.&.g.'...I;.''G........[...:d+M..c..e..a7X....r"R.n>.\x.s...4$...k.m.H.G..Sa..d.E.....=Y.&:..k..Z$.|",.z..F/.....q..O.M...+.#.Z..U.B..)1.&..m@...P."..A.Q...K..w]....o...M.fS|q(%k..n.....\.f..<.?...z..+.[zV.d.Nw....<.../g..qN....G.F..^...?.1.2...C... .V..ERi........W..2<..`........9+.T.."."..C.I....w....]b..+.&B.S....... .Q/...'.+}..
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
Category:dropped
Size (bytes):15779
Entropy (8bit):7.989006623113158
Encrypted:false
SSDEEP:384:Rx3Q+kY9SPm+iSRSPySegjru8AE14jf3Ck4N:n3Im9yZgjct6k4N
MD5:9F7A133123D00111EF006C237ED0AE1D
SHA1:A35E08C1432C7C9D57EAA21DCAE8495A32AFC219
SHA-256:C8ACB0C74018A362D34E4A3275BCC244F2A1742410BE4638E34EE28CFBC6289E
SHA-512:30DC4929321132C40174861EA9C3D2B34ACA1B903E1A5F4988CFFFF48B8859F7873B4B3240A9CF7496D8EAE89B4D9F7C824917561113AAF53701B3A57F7E125B
Malicious:false
Reputation:low
Preview:PK.........R|.C..N...P......RSASecurIDPluginSDK503.zipt.Sl....X.m....m..m.m....'....&........J..`0@....t......&..J....7.P!...\...R...B........)...K....'.O-...6D.5..V...0....,.R.yKp.q...o...n2.E..y.T.{.V.........'..=......w..H.......I.s.Yp...........@.....&eK\.V.M...*.*..w..v.5..[>...H...B........eZB.0r_.:.G....k.&..%.M...\Q&..s.i.0..;.......x..&.V..4..TP..uUU....S.9..V.p...6...a....._......|.mU.Y......?wt..N1.]..P.,.3Rs.GI.f....V].!..o.=..[.h.....:?Of.V.e.....s*J3L.....x.9..<....9.......G..5..../....deL..zh.B....a.G==.#..I..dc,....(9T0.(b..=h....}'....`.E.WK{....0..X)..&.l....S[9."...S-(...+..[....J"...3S..|um.p.. \ew>.9....p~....n....I#.p@.$$cx.C...]q%.e:IgV..D.:u:.2JK..Dz......k..s...q....@ep.B.....x...8{.F+.f..+$..._V.._5....&.z&S>H.U...1..o.....d..9.lF...W...$......Q..#..w.P..s.sZ,j..g...-..I......*#w..S.'Y?c(.K...q..t......{HX.*.....>.... ..U^~.~B.Y.NY./*c...0u..d.!....A...;......?...h.._Eq.#EZ.{...>.....~d.i..
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
Category:dropped
Size (bytes):148513035
Entropy (8bit):7.998942661733612
Encrypted:true
SSDEEP:3145728:gnj2IhvjxhCAAOxyPVO7CUH1jwx1BQ0exK9TizAD7Qz9Q65iOmsbgWKT0:gnj2YjxhAOMsHYi0ecL7q9RTMWe0
MD5:38170C86AC1A73AEA43DF7227D58B808
SHA1:B66D95DAF9751E7DD09B3B4CFFF01CC750F4A606
SHA-256:971369982192828DBCC0357BC30E500201FFA88616379E4EF8ACF46B9811BD88
SHA-512:CD1CF1430ACCF98FD713379EEEF359E158DCD342BBAFBFF3BDC6B0871B5FCE578421509C2B6990B9BE4B05D679026C61D97F007FCE92FCC552BF8482DD86E1F1
Malicious:true
Reputation:low
Preview:PK.........R|.C..N...P......RSASecurIDPluginSDK503.zipt.Sl....X.m....m..m.m....'....&........J..`0@....t......&..J....7.P!...\...R...B........)...K....'.O-...6D.5..V...0....,.R.yKp.q...o...n2.E..y.T.{.V.........'..=......w..H.......I.s.Yp...........@.....&eK\.V.M...*.*..w..v.5..[>...H...B........eZB.0r_.:.G....k.&..%.M...\Q&..s.i.0..;.......x..&.V..4..TP..uUU....S.9..V.p...6...a....._......|.mU.Y......?wt..N1.]..P.,.3Rs.GI.f....V].!..o.=..[.h.....:?Of.V.e.....s*J3L.....x.9..<....9.......G..5..../....deL..zh.B....a.G==.#..I..dc,....(9T0.(b..=h....}'....`.E.WK{....0..X)..&.l....S[9."...S-(...+..[....J"...3S..|um.p.. \ew>.9....p~....n....I#.p@.$$cx.C...]q%.e:IgV..D.:u:.2JK..Dz......k..s...q....@ep.B.....x...8{.F+.f..+$..._V.._5....&.z&S>H.U...1..o.....d..9.lF...W...$......Q..#..w.P..s.sZ,j..g...-..I......*#w..S.'Y?c(.K...q..t......{HX.*.....>.... ..U^~.~B.Y.NY./*c...0u..d.!....A...;......?...h.._Eq.#EZ.{...>.....~d.i..
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
Category:dropped
Size (bytes):148513035
Entropy (8bit):7.998942661733612
Encrypted:true
SSDEEP:3145728:gnj2IhvjxhCAAOxyPVO7CUH1jwx1BQ0exK9TizAD7Qz9Q65iOmsbgWKT0:gnj2YjxhAOMsHYi0ecL7q9RTMWe0
MD5:38170C86AC1A73AEA43DF7227D58B808
SHA1:B66D95DAF9751E7DD09B3B4CFFF01CC750F4A606
SHA-256:971369982192828DBCC0357BC30E500201FFA88616379E4EF8ACF46B9811BD88
SHA-512:CD1CF1430ACCF98FD713379EEEF359E158DCD342BBAFBFF3BDC6B0871B5FCE578421509C2B6990B9BE4B05D679026C61D97F007FCE92FCC552BF8482DD86E1F1
Malicious:false
Reputation:low
Preview:PK.........R|.C..N...P......RSASecurIDPluginSDK503.zipt.Sl....X.m....m..m.m....'....&........J..`0@....t......&..J....7.P!...\...R...B........)...K....'.O-...6D.5..V...0....,.R.yKp.q...o...n2.E..y.T.{.V.........'..=......w..H.......I.s.Yp...........@.....&eK\.V.M...*.*..w..v.5..[>...H...B........eZB.0r_.:.G....k.&..%.M...\Q&..s.i.0..;.......x..&.V..4..TP..uUU....S.9..V.p...6...a....._......|.mU.Y......?wt..N1.]..P.,.3Rs.GI.f....V].!..o.=..[.h.....:?Of.V.e.....s*J3L.....x.9..<....9.......G..5..../....deL..zh.B....a.G==.#..I..dc,....(9T0.(b..=h....}'....`.E.WK{....0..X)..&.l....S[9."...S-(...+..[....J"...3S..|um.p.. \ew>.9....p~....n....I#.p@.$$cx.C...]q%.e:IgV..D.:u:.2JK..Dz......k..s...q....@ep.B.....x...8{.F+.f..+$..._V.._5....&.z&S>H.U...1..o.....d..9.lF...W...$......Q..#..w.P..s.sZ,j..g...-..I......*#w..S.'Y?c(.K...q..t......{HX.*.....>.... ..U^~.~B.Y.NY./*c...0u..d.!....A...;......?...h.._Eq.#EZ.{...>.....~d.i..
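Several of the small "ASCII text" dropped files above (the 170- to 329-byte records) are checksum manifests in the format GNU coreutils md5sum writes. The leading backslash is coreutils' escaped-line marker, emitted because the recorded Jenkins path contains backslashes (each written doubled), and the "*" before the path marks binary mode; the trailing "." in each Preview is the sandbox's rendering of the final newline byte, which is why the RSASecurIDUtils503.zip manifest is 170 bytes, one more than its visible text. That manifest's digest, b1b46a0014d6438c8de947a0509ec627, equals the MD5 the report computed for the dropped 21214-byte zip containing Token_Import_Utility500_readme.pdf, so the archive matches what the build recorded. The following Python is an added example, not code from the report, from RSA or from the analysed package: it parses such lines, undoes the escaping, and verifies either a digest taken from the report or actual file bytes against the manifest. The names in it and the sample payload are constructed for the example.

```python
r"""Parse and check coreutils-style checksum manifest lines.

Added example for this report; it is not code from Joe Sandbox, from RSA or
from the analysed archive. Several of the small "ASCII text" dropped files
above are manifests in the format GNU coreutils md5sum writes: the leading
backslash marks an escaped line (emitted when the file name contains a
backslash or newline), each backslash in the name is then doubled, a newline
becomes '\n', and the '*' before the name marks binary mode.
"""
import hashlib
import re
from dataclasses import dataclass

# digest, one space, then ' ' (text mode) or '*' (binary mode), then the name.
_LINE_RE = re.compile(r"^(?P<esc>\\)?(?P<digest>[0-9A-Fa-f]+) (?P<mode>[ *])(?P<name>.*)$")
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


@dataclass(frozen=True)
class ManifestEntry:
    algorithm: str  # hashlib name, chosen from the digest length
    digest: str     # lowercase hex
    path: str       # file name with the coreutils escaping undone
    binary: bool    # True when the producer used '*'


def _unescape_name(name: str) -> str:
    """Undo the escaped-line encoding (doubled backslash, backslash-n, backslash-r)."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name) and name[i + 1] in "\\nr":
            out.append({"\\": "\\", "n": "\n", "r": "\r"}[name[i + 1]])
            i += 2
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def parse_manifest_line(line: str) -> ManifestEntry:
    """Parse one md5sum/sha*sum output line into a ManifestEntry."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a coreutils checksum line: {line!r}")
    digest = m.group("digest").lower()
    algorithm = _ALGO_BY_HEX_LEN.get(len(digest))
    if algorithm is None:
        raise ValueError(f"unrecognised digest length {len(digest)} in {line!r}")
    name = m.group("name")
    if m.group("esc"):
        name = _unescape_name(name)
    return ManifestEntry(algorithm, digest, name, m.group("mode") == "*")


def digest_matches(entry: ManifestEntry, observed_hex: str) -> bool:
    """Compare a digest reported elsewhere (here: by the sandbox) with the manifest."""
    return entry.digest == observed_hex.strip().lower()


def verify_bytes(entry: ManifestEntry, data: bytes) -> bool:
    """Hash the bytes with the manifest's algorithm and compare with its digest."""
    return hashlib.new(entry.algorithm, data).hexdigest() == entry.digest


# Manifest line the report shows for RSASecurIDUtils503.zip, copied from its
# Preview. The Preview's final '.' stands for the newline byte (the file is 170
# bytes, one more than the visible text), so a real newline is used here.
REPORT_MANIFEST_LINE = (
    "\\b1b46a0014d6438c8de947a0509ec627 *E:\\\\jenkins\\\\workspace\\\\rel-Desktop-Token"
    "\\\\release\\\\desktoptoken-5.0\\\\sw-authenticators\\\\src\\\\desktoptoken"
    "/dist/RSASecurIDUtils503.zip\n"
)
# MD5 the report computed for the dropped 21214-byte zip holding
# Token_Import_Utility500_readme.pdf, i.e. the archive the manifest describes.
REPORT_DROPPED_ZIP_MD5 = "B1B46A0014D6438C8DE947A0509EC627"


def check_report_entry() -> ManifestEntry:
    """Parse the report's manifest line and confirm it names the dropped zip's MD5."""
    entry = parse_manifest_line(REPORT_MANIFEST_LINE)
    if not digest_matches(entry, REPORT_DROPPED_ZIP_MD5):
        raise ValueError("manifest digest and report digest disagree")
    return entry


def demo_roundtrip() -> tuple[bool, bool]:
    """Constructed payload: its own manifest verifies, a tampered copy does not."""
    payload = b"constructed sample bytes, not RSA content\n"  # constructed input
    line = hashlib.md5(payload).hexdigest() + " *sample.zip\n"
    entry = parse_manifest_line(line)
    return verify_bytes(entry, payload), verify_bytes(entry, payload + b"\x00")


if __name__ == "__main__":
    e = check_report_entry()
    print(e.algorithm, e.digest, e.binary, e.path)
    print(demo_roundtrip())
```

The same parser handles the SHA-1, SHA-256 and SHA-512 variants of the format (the algorithm is taken from the digest length), so it can also be pointed at a vendor-published sha256sum file for the outer RSASecurIDSoftwareToken5.0.3x64.zip; the report itself does not carry such a published value, only the hashes the sandbox computed.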
No static file info
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Target ID:0
Start time:03:36:48
Start date:28/10/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:2
Start time:03:36:50
Start date:28/10/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,8629211986149783283,5582461857598252456,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:3
Start time:03:36:53
Start date:28/10/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip"
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:7
Start time:03:37:17
Start date:28/10/2024
Path:C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Imagebase:0x630000
File size:12'800 bytes
MD5 hash:16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:8
Start time:03:37:17
Start date:28/10/2024
Path:C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
Imagebase:0x5f0000
File size:289'792 bytes
MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:9
Start time:03:37:17
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:21.4%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:5.5%
    Total number of Nodes:73
    Total number of Limit Nodes:4
    Execution graph (rendered as an image in the original; node addresses fall in the 0x00F3A000 region of unarchiver.exe, the memory dump analysed below). Each chain lists basic blocks in execution order; a block labelled with an API name is the one that calls it:
    • f3a933 -> f3a962 ReadFile -> f3a9c9; f3a962 -> f3a997 ReadFile -> f3a9c9
    • f3a120 -> f3a172 FindNextFileW -> f3a1ca; f3a172 -> f3a1c2 FindNextFileW -> f3a1ca
    • f3af8b -> f3afb2 FindClose -> f3aff3; f3afb2 -> {f3b010, f3afde FindClose}; f3b010 -> f3afde -> f3aff3
    • f3a370 -> f3a392 RegQueryValueExW -> f3a41b
    • f3ab76 -> f3abe6 CreatePipe -> f3ac3e; f3abe6 -> f3ac36 CreatePipe -> f3ac3e
    • f3b1b4 -> f3b1d6 GetSystemInfo -> f3b210; f3b1d6 -> {f3b202 GetSystemInfo, f3b238}; f3b238 -> f3b202 -> f3b210
    • f3a5dc -> f3a5fe CreateFileW -> f3a685; f3a5fe -> f3a636 CreateFileW -> f3a685
    • f3a2ae -> f3a2b2 SetErrorMode -> f3a31b; f3a2da -> {f3a306 SetErrorMode, f3a32f}; f3a32f -> f3a306 -> f3a31b
    • f3a850 -> f3a882 SetFilePointer -> f3a8e6; f3a882 -> f3a8b7 SetFilePointer -> f3a8e6
    • f3a6d4 -> f3a716 CloseHandle -> f3a750; f3a716 -> {f3a742 CloseHandle, f3a781}; f3a781 -> f3a742 -> f3a750
    • f3aa0b -> f3aa46 CreateDirectoryW -> f3aa93; f3aa46 -> f3aa6c CreateDirectoryW -> f3aa93
    • f3ad04 -> f3ad2a DuplicateHandle -> f3adaf
    • f3a78f -> f3a7c2 GetFileType -> f3a824

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available
    Callgraph (rendered as an image in the original): 104 function nodes, named Function_<address>, in the 0x00F32xxx, 0x00F3Axxx/0x00F3Bxxx, 0x010F0xxx and 0x012B0xxx regions. Recorded call edges:
    • Function_012B0E08, Function_012B0E18, Function_012B0DA2, Function_012B0DE0, Function_012B0DD1 and Function_012B0798 -> Function_012B0BA0
    • Function_010F0648 -> Function_010F066A
    • Function_012B02B0 and Function_012B02C0 -> Function_010F0606, Function_012B0798, Function_010F05E0
    • Function_012B0798 -> Function_010F0606, Function_012B0C60, Function_012B0C50, Function_012B0CA8, Function_012B0BA0, Function_012B0B8F, Function_012B0C99, Function_010F05E0
    APIs
    • GetSystemInfo.KERNELBASE(?), ref: 00F3B208
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: e77a7a047147d80a4956c6088d3d33520e1aaaa3a24b57fd30694ce5f02bf261
    • Instruction ID: 622f96b1b6de7eb4a31605013264ad7cdb75750b7dc8a5081a8e0b994b9366b8
    • Opcode Fuzzy Hash: e77a7a047147d80a4956c6088d3d33520e1aaaa3a24b57fd30694ce5f02bf261
    • Instruction Fuzzy Hash: 7D01AD719042409FDB10CF16E885B6AFBE4EF45331F08C5AADE498F256D3B9E504DBA2

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (rendered as an image in the original), basic blocks and edges: 12b0c99-12b0ce1 -> {12b0ce3-12b0d0c, 12b0d0e-12b0d16}; both -> 12b0d1e-12b0d92 -> 12b0d99-12b0dcb
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID: Ppj$[M6$`nj$`nj$e]Nj^
    • API String ID: 0-2018951798
    • Opcode ID: 0ac5083001fd23a245c867f88b892b48c3559016fd8c2fde113e5ebc4ecff7d2
    • Instruction ID: 89fc61e6814bd9100d49432ce9eefa41faf83ebc1ee7672a64f11dd15839a306
    • Opcode Fuzzy Hash: 0ac5083001fd23a245c867f88b892b48c3559016fd8c2fde113e5ebc4ecff7d2
    • Instruction Fuzzy Hash: AE2138747002108FCB55EB3A84417AEBBD3AFC5204B45842DE546CB392CF3AED068795

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (rendered as an image in the original), basic blocks and edges: 12b0ca8-12b0ce1 -> {12b0ce3-12b0d0c, 12b0d0e-12b0d16}; both -> 12b0d1e-12b0d92 -> 12b0d99-12b0dcb
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID: Ppj$[M6$`nj$`nj$e]Nj^
    • API String ID: 0-2018951798
    • Opcode ID: 2918dfd0b12f97e03f16a00896f84322fcc6f02cfde0a2ac48698650e57066a4
    • Instruction ID: e2f4e7ada52eec4fb43c48fc2cf51f2379b2f77f5314b8bc08572409eee1fcf4
    • Opcode Fuzzy Hash: 2918dfd0b12f97e03f16a00896f84322fcc6f02cfde0a2ac48698650e57066a4
    • Instruction Fuzzy Hash: 9321F3707002108BC754EB3A85417AEBBE7AB88204B45842CD186CB382DF7AAD0287D5

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (rendered as an image in the original), basic blocks and edges: f3b246-f3b2eb -> {f3b343-f3b348, f3b2ed-f3b2f5 (DuplicateHandle)}; f3b343-f3b348 -> f3b2ed-f3b2f5 -> f3b2fb-f3b30d -> {f3b34a-f3b34f, f3b30f-f3b340}; f3b34a-f3b34f -> f3b30f-f3b340
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F3B2F3
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 201f5f63f9b5c5cff5c3cfe9d08c443b6d0ac9798f51da9b5c994786f386ec3a
    • Instruction ID: 0c73cd716351f0265326f6d3ff950d0c56973c5198d6b291a72bc21230f4c6a7
    • Opcode Fuzzy Hash: 201f5f63f9b5c5cff5c3cfe9d08c443b6d0ac9798f51da9b5c994786f386ec3a
    • Instruction Fuzzy Hash: A831C6714043446FE7228B61DC45FA7BFBCEF45324F04449AE985CB152D378A909DB71

    Control-flow Graph

    control_flow_graph 56 f3ad04-f3ad9f 61 f3ada1-f3ada9 DuplicateHandle 56->61 62 f3adf7-f3adfc 56->62 64 f3adaf-f3adc1 61->64 62->61 65 f3adc3-f3adf4 64->65 66 f3adfe-f3ae03 64->66 66->65
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F3ADA7
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: d1fab0ac9b5eba6dc401dbf14565101ef78847653f99303f8a3e35cd4f80eb47
    • Instruction ID: fb125ea63a82bdd4997b4137bb622daf6feab296d661569c01d55d7d6d93a967
    • Opcode Fuzzy Hash: d1fab0ac9b5eba6dc401dbf14565101ef78847653f99303f8a3e35cd4f80eb47
    • Instruction Fuzzy Hash: 6831D371404384AFEB228B65CC45FA7BFACEF05224F08489EF985CB152D328A809CB71

    Control-flow Graph

    control_flow_graph 70 f3ab76-f3ac67 CreatePipe
    APIs
    • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00F3AC36
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CreatePipe
    • String ID:
    • API String ID: 2719314638-0
    • Opcode ID: 42400c7ad6803493bd83dff01473d7a9ce771ad0916d19678571ac498b39ff5e
    • Instruction ID: 102efe696b7943ac2c571caafdbbbb7cc4bd81d748aab142378bec38a20cd3aa
    • Opcode Fuzzy Hash: 42400c7ad6803493bd83dff01473d7a9ce771ad0916d19678571ac498b39ff5e
    • Instruction Fuzzy Hash: 05317A6250E3C05FD3138B358C65A65BFB4AF47610F1E84CBD8C48B1A3D2696909C7A2

    Control-flow Graph

    control_flow_graph 75 f3a5dc-f3a656 79 f3a65b-f3a667 75->79 80 f3a658 75->80 81 f3a669 79->81 82 f3a66c-f3a675 79->82 80->79 81->82 83 f3a677-f3a69b CreateFileW 82->83 84 f3a6c6-f3a6cb 82->84 87 f3a6cd-f3a6d2 83->87 88 f3a69d-f3a6c3 83->88 84->83 87->88
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F3A67D
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 668bc1d8ec9ba994424b0e8ade868f69630d00b9ee007dc59cd4479fb6cfbab0
    • Instruction ID: 952418ff13fb94f971c4321e10200e784ac007a45b5a6bc186de1eca236bd35e
    • Opcode Fuzzy Hash: 668bc1d8ec9ba994424b0e8ade868f69630d00b9ee007dc59cd4479fb6cfbab0
    • Instruction Fuzzy Hash: F6318DB1505340AFE721CF26DD85F66BBE8EF09224F08849EE9858B252D375E809DB71

    Control-flow Graph

    control_flow_graph 91 f3a120-f3a1f3 FindNextFileW
    APIs
    • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00F3A1C2
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FileFindNext
    • String ID:
    • API String ID: 2029273394-0
    • Opcode ID: 185f11aed542ab05f577b638e9c7817e0fb85bcfb11ea1322195030abab4122f
    • Instruction ID: 7381727de33cb0f634b74dbddcfaee9c616f887ba2cebce2e97212f501cc159c
    • Opcode Fuzzy Hash: 185f11aed542ab05f577b638e9c7817e0fb85bcfb11ea1322195030abab4122f
    • Instruction Fuzzy Hash: 4821A37150D3C06FD3128B258C51BA2BFB4EF47610F0945DBD8849F593D279A919C7B2

    Control-flow Graph

    control_flow_graph 96 f3a370-f3a3cf 99 f3a3d1 96->99 100 f3a3d4-f3a3dd 96->100 99->100 101 f3a3e2-f3a3e8 100->101 102 f3a3df 100->102 103 f3a3ea 101->103 104 f3a3ed-f3a404 101->104 102->101 103->104 106 f3a406-f3a419 RegQueryValueExW 104->106 107 f3a43b-f3a440 104->107 108 f3a442-f3a447 106->108 109 f3a41b-f3a438 106->109 107->106 108->109
    APIs
    • RegQueryValueExW.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A40C
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: QueryValue
    • String ID:
    • API String ID: 3660427363-0
    • Opcode ID: 96ee56756ce35f45749b1526543ffa711a96ff9357085089b49b7057b2fae989
    • Instruction ID: e97ee90663ce9b291a14aea630ef050430bcaf36b050c441a00387e3978e6bf0
    • Opcode Fuzzy Hash: 96ee56756ce35f45749b1526543ffa711a96ff9357085089b49b7057b2fae989
    • Instruction Fuzzy Hash: BF217E75504740AFD721CB16CC84F62BBF8EF05720F08849AE985CB252D364E908CB62

    Control-flow Graph

    control_flow_graph 126 f3b276-f3b2eb 130 f3b343-f3b348 126->130 131 f3b2ed-f3b2f5 DuplicateHandle 126->131 130->131 132 f3b2fb-f3b30d 131->132 134 f3b34a-f3b34f 132->134 135 f3b30f-f3b340 132->135 134->135
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F3B2F3
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 5ef616c8f46821392035e5c7c7d7b67f34f2ad6df6e542379d9970715239a69e
    • Instruction ID: 03815a30f142582ed7c5ff825c681a2564bb9aa0d1793e8e6e47e9af5604a312
    • Opcode Fuzzy Hash: 5ef616c8f46821392035e5c7c7d7b67f34f2ad6df6e542379d9970715239a69e
    • Instruction Fuzzy Hash: 6A21B072500204AFEB219F65DC45FABBBACEF08324F04886AEA45CB155D378A5089BA1

    Control-flow Graph

    control_flow_graph 113 f3ad2a-f3ad9f 117 f3ada1-f3ada9 DuplicateHandle 113->117 118 f3adf7-f3adfc 113->118 120 f3adaf-f3adc1 117->120 118->117 121 f3adc3-f3adf4 120->121 122 f3adfe-f3ae03 120->122 122->121
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F3ADA7
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 3de9ebf5171274fd240711f6b8041a0818c4a1045123aed8ca52859f2d5dd3bd
    • Instruction ID: 8b5b19a8fc5328becef0f4ebfc73f2690df576b93308b1a8e4bfd9c9692d63a9
    • Opcode Fuzzy Hash: 3de9ebf5171274fd240711f6b8041a0818c4a1045123aed8ca52859f2d5dd3bd
    • Instruction Fuzzy Hash: 9821F472500204AFEB219F65CC45FABFBECEF04324F04842AEA85CB555D774A408DBA1

    Control-flow Graph

    control_flow_graph 139 f3a850-f3a8d6 143 f3a91a-f3a91f 139->143 144 f3a8d8-f3a8f8 SetFilePointer 139->144 143->144 147 f3a921-f3a926 144->147 148 f3a8fa-f3a917 144->148 147->148
    APIs
    • SetFilePointer.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A8DE
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 7b9c6be9e7f6057db23ded3540adf002827fa3324b2d56c0484dbbade1fada4d
    • Instruction ID: b13225456b4c18926be1f234a6e5987b1aa60f2aa78b7be812510b21f538d0a2
    • Opcode Fuzzy Hash: 7b9c6be9e7f6057db23ded3540adf002827fa3324b2d56c0484dbbade1fada4d
    • Instruction Fuzzy Hash: F121D6714093806FE7228B25DC44F62BFB8EF46724F0984DAE984DF152C268A909C7B2

    Control-flow Graph

    control_flow_graph 151 f3a933-f3a9b9 155 f3a9bb-f3a9db ReadFile 151->155 156 f3a9fd-f3aa02 151->156 159 f3aa04-f3aa09 155->159 160 f3a9dd-f3a9fa 155->160 156->155 159->160
    APIs
    • ReadFile.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A9C1
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: 93f9fce52406f987616e23f88de1fbe7e9e8254bf03d9ce13cb4071ab86187fe
    • Instruction ID: 18c11ec82e586b1fbdcde574c47d161625fa60d3ebfcd9e135aa4f231833802f
    • Opcode Fuzzy Hash: 93f9fce52406f987616e23f88de1fbe7e9e8254bf03d9ce13cb4071ab86187fe
    • Instruction Fuzzy Hash: D621B571409380AFDB22CF25DC45F56BFB8EF06724F08849AE9859F152C379A508CBB2

    Control-flow Graph

    control_flow_graph 163 f3a5fe-f3a656 166 f3a65b-f3a667 163->166 167 f3a658 163->167 168 f3a669 166->168 169 f3a66c-f3a675 166->169 167->166 168->169 170 f3a677-f3a67f CreateFileW 169->170 171 f3a6c6-f3a6cb 169->171 173 f3a685-f3a69b 170->173 171->170 174 f3a6cd-f3a6d2 173->174 175 f3a69d-f3a6c3 173->175 174->175
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F3A67D
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: be11832ef2d2575e79a2bf310f160695a182ffea4665553eaa840e7462f4e981
    • Instruction ID: 1de78e141ce11c282e4c57acbdd0289184068184274025739620e9eafb06895e
    • Opcode Fuzzy Hash: be11832ef2d2575e79a2bf310f160695a182ffea4665553eaa840e7462f4e981
    • Instruction Fuzzy Hash: B221A471500200AFE721DF26DD86F66FBE8EF08324F08846DE9858B251D375E404DB72

    Control-flow Graph

    control_flow_graph 178 f3a78f-f3a80d 182 f3a842-f3a847 178->182 183 f3a80f-f3a822 GetFileType 178->183 182->183 184 f3a824-f3a841 183->184 185 f3a849-f3a84e 183->185 185->184
    APIs
    • GetFileType.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A815
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: f5ec6c9ea2df447bcb4516fe3d61835501a2d449cec31c06c59d159bbbbe8445
    • Instruction ID: bd8d2bbf8f01684b10ce554dcbe7be8f01b32dbb33b9f711450f1efa4ec75f0f
    • Opcode Fuzzy Hash: f5ec6c9ea2df447bcb4516fe3d61835501a2d449cec31c06c59d159bbbbe8445
    • Instruction Fuzzy Hash: 3621EBB54093806FE7128B21DC41FA2BFBCEF57724F0880DBE9858B153D268A909D772

    Control-flow Graph

    control_flow_graph 189 f3aa0b-f3aa6a 191 f3aa6f-f3aa75 189->191 192 f3aa6c 189->192 193 f3aa77 191->193 194 f3aa7a-f3aa83 191->194 192->191 193->194 195 f3aa85-f3aaa5 CreateDirectoryW 194->195 196 f3aac4-f3aac9 194->196 199 f3aaa7-f3aac3 195->199 200 f3aacb-f3aad0 195->200 196->195 200->199
    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 00F3AA8B
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 01152edf327e6c0b85a0947f55ad5f2311ecc86fa5c56410158e4dcdc09d400c
    • Instruction ID: b00187342dc179b34e85b152db2bec8492e58b07a26912f91a63a486536a13ac
    • Opcode Fuzzy Hash: 01152edf327e6c0b85a0947f55ad5f2311ecc86fa5c56410158e4dcdc09d400c
    • Instruction Fuzzy Hash: 812183765093C09FDB12CB29DC55B92BFE8EF06324F0D84EAE885CB153D265D909CB61
    APIs
    • RegQueryValueExW.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A40C
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: QueryValue
    • String ID:
    • API String ID: 3660427363-0
    • Opcode ID: d5d8c43c739b6a3410022c757b63f9b0b9434532947b454d2cc5525928b039ab
    • Instruction ID: 195bdeffb75c8a09b1e5e5e46073c3127709df5beef5285be55bf6ad33c4a91a
    • Opcode Fuzzy Hash: d5d8c43c739b6a3410022c757b63f9b0b9434532947b454d2cc5525928b039ab
    • Instruction Fuzzy Hash: E221A5755006049FE720CF16CC85F66F7ECEF14730F08845AE945CB251D7A4E905DAB2
    APIs
    • ReadFile.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A9C1
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: 6720544f4d1fd97a59c8a14ce69f21ba4ca34c927d5ee7cc40b7d8751ce47d2d
    • Instruction ID: c53375de4b9ee638c39f405c9bd13ca77f71087b80ae546149f7d2f824285726
    • Opcode Fuzzy Hash: 6720544f4d1fd97a59c8a14ce69f21ba4ca34c927d5ee7cc40b7d8751ce47d2d
    • Instruction Fuzzy Hash: DA112772500200AFEB21CF26DC41F66FBE8EF14734F08845AEE459B145C378A504DBB2
    APIs
    • SetFilePointer.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A8DE
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 1378944d40d33a65aa45c297ce88117ce2a84919cd9d27f4544a315987ded71b
    • Instruction ID: 6638afb96a1eaf22e9ce37ee962fa54086148bc6d1b214961599f87b42dcde81
    • Opcode Fuzzy Hash: 1378944d40d33a65aa45c297ce88117ce2a84919cd9d27f4544a315987ded71b
    • Instruction Fuzzy Hash: 5511E771500200AFEB21DF65DC45F66F7E8EF54734F18845AEE459B145C378A504DBB2
    APIs
    • SetErrorMode.KERNELBASE(?), ref: 00F3A30C
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 6e9e703bf06e4ba1e71c593ef1f53962337a473a938e3caf19500d22112fcee6
    • Instruction ID: f1e32bd6a4f39419377136cdf6a11b0e0399b4e9b0bc02c4fd663828563df5d8
    • Opcode Fuzzy Hash: 6e9e703bf06e4ba1e71c593ef1f53962337a473a938e3caf19500d22112fcee6
    • Instruction Fuzzy Hash: F81191758093C09FD7228B26DC54A52BFB4EF17324F0D80DBDD858F163D269A808CB62
    APIs
    • GetFileType.KERNELBASE(?,00000E24,04EE05FA,00000000,00000000,00000000,00000000), ref: 00F3A815
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 81eff4749ec73d704eb531ac008b9952219577d17e4c545e7e12749cc556ff54
    • Instruction ID: 204bc2867132e2bdce39bc9e3a14d74d0fb8a49f6615ba0b013cac27679939f7
    • Opcode Fuzzy Hash: 81eff4749ec73d704eb531ac008b9952219577d17e4c545e7e12749cc556ff54
    • Instruction Fuzzy Hash: 4801D675504200AFE720DB16DC85F66F7D8DF54734F18C05AEE458B245D378A905CAF6
    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 00F3AA8B
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 39020fc0779a518200c1290329dc823dd4bc1ff4a606f238057ffc28d12983c4
    • Instruction ID: 90bc0559fecef877c8c6145fadd46a9480f9cc72254e619f83dd168b2c0746fe
    • Opcode Fuzzy Hash: 39020fc0779a518200c1290329dc823dd4bc1ff4a606f238057ffc28d12983c4
    • Instruction Fuzzy Hash: 5E115276A042409FEB10CF2AD985B66BBD8EF05730F08C4AADD45CB251E279E904DB62
    APIs
    • GetSystemInfo.KERNELBASE(?), ref: 00F3B208
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: b4cfb84cbb04a60f0684575166387e749a5e3408e2f11a14711b2277f7e11f7f
    • Instruction ID: 6de059d35944282ae7b519783bf0ad91c47ae713224ebc69749065485c89610b
    • Opcode Fuzzy Hash: b4cfb84cbb04a60f0684575166387e749a5e3408e2f11a14711b2277f7e11f7f
    • Instruction Fuzzy Hash: 751173715093C09FD712CF15DC54B56BFA4DF56224F0884DADD858F252D275A908CB62
    APIs
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CloseFind
    • String ID:
    • API String ID: 1863332320-0
    • Opcode ID: dcfcf3ee473b103eca9017788b3c9167ede1ebed694b2dace78fd8b8ad146171
    • Instruction ID: 66b4aa53b6df121de0ea705b12c9473b70d53d7ff580937d831ef6a2f9a135eb
    • Opcode Fuzzy Hash: dcfcf3ee473b103eca9017788b3c9167ede1ebed694b2dace78fd8b8ad146171
    • Instruction Fuzzy Hash: AD11A0B55093C09FD7168B25DC85B52BFF4EF06220F0D84DAED858B262D379A808DB62
    APIs
    • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00F3A1C2
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: FileFindNext
    • String ID:
    • API String ID: 2029273394-0
    • Opcode ID: 82b126f1cd518580131446d24e6704c00a50796f03445932cab6d896720506ef
    • Instruction ID: ce17a4b481d07c9cb689af23dffdbd17b6b8f79e05d9c695a3730ebbc33ac983
    • Opcode Fuzzy Hash: 82b126f1cd518580131446d24e6704c00a50796f03445932cab6d896720506ef
    • Instruction Fuzzy Hash: 2701B171A00200ABD310DF1ACC46B76FBE8EB88A20F14816AEC089B645D775B915CBE2
    APIs
    • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00F3AC36
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CreatePipe
    • String ID:
    • API String ID: 2719314638-0
    • Opcode ID: a852c5a8bae54e006ac69f27b0d1cadd1698a22588ea46e9bef475bbe1f7d9ca
    • Instruction ID: 483674efbb80254fc3b4c5ec791d6c17d352e727bd2f8316f6e4ab90c4607410
    • Opcode Fuzzy Hash: a852c5a8bae54e006ac69f27b0d1cadd1698a22588ea46e9bef475bbe1f7d9ca
    • Instruction Fuzzy Hash: D501B171A00200ABD310DF1ACC46B76FBE8FB88B20F14812AEC489B645D775B915CBE2
    APIs
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CloseFind
    • String ID:
    • API String ID: 1863332320-0
    • Opcode ID: 768ff971fe673736dba0051cd20567d4df78b315765d2d7736ad0d717faa402f
    • Instruction ID: 7556314eaad6dcf087cc8c8c4793108b72762c0f02080e8baaa280bc954745ff
    • Opcode Fuzzy Hash: 768ff971fe673736dba0051cd20567d4df78b315765d2d7736ad0d717faa402f
    • Instruction Fuzzy Hash: 3F01D1B59002409FDB148F26D885762FBD4EF04335F08C0AADD468B252D3B9E848EEA2
    APIs
    • SetErrorMode.KERNELBASE(?), ref: 00F3A30C
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: c99ba7cdd2eb35550ff93f442f694420c006034c7569a455a9627d317f17390a
    • Instruction ID: 78da919eaf4dff61f9bee7f2ba663af93f284b2b118b2d5f29415157e3879084
    • Opcode Fuzzy Hash: c99ba7cdd2eb35550ff93f442f694420c006034c7569a455a9627d317f17390a
    • Instruction Fuzzy Hash: 89F0AF759042409FDB20DF16D885B61FBE4EF04735F08C09ADD494B256D3BAA808DEA2
    APIs
    • CloseHandle.KERNELBASE(?), ref: 00F3A748
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 66006b96282742880526f7e7cceb880a5ffef88c5156163520aeeb4989b3fba8
    • Instruction ID: 465d04c73e1e8a4b65c49713d7e804d7353a2cd3ee62ed9a693dccd863278f3d
    • Opcode Fuzzy Hash: 66006b96282742880526f7e7cceb880a5ffef88c5156163520aeeb4989b3fba8
    • Instruction Fuzzy Hash: BC2192B59097C05FD7128B25DC95792BFB8EF07324F0980DADC858F5A3D2649908CB72
    APIs
    • CloseHandle.KERNELBASE(?), ref: 00F3A748
    Memory Dump Source
    • Source File: 00000007.00000002.2030437684.0000000000F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f3a000_unarchiver.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 63ba16a728b54ea9b0d6ac74b51da56f86bb51bbd6942d2f49c35578d5f90c83
    • Instruction ID: 06a6b231e1af42be173542e9eefe0cb6cff890883aacd1e2825c432cf81568e7
    • Opcode Fuzzy Hash: 63ba16a728b54ea9b0d6ac74b51da56f86bb51bbd6942d2f49c35578d5f90c83
    • Instruction Fuzzy Hash: B901F275A002408FDB10CF26D886766FBE8EF04330F08C4AADC49CF252D279E904DEA2
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b52dd4616932e1326ddbbc635bd10b838e2ba13979b4a182b70ef918fb08bcfe
    • Instruction ID: 6001f3eb9776668bd53676cb84b1280d0dbd80af8228ef23bd51efa026c66815
    • Opcode Fuzzy Hash: b52dd4616932e1326ddbbc635bd10b838e2ba13979b4a182b70ef918fb08bcfe
    • Instruction Fuzzy Hash: 9EB19238621114CFC769EB68E988B9E7BB2FFA9344B108529EE06D7359DF309C40DB50
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b5192ca55eb2e4840751bad8a45e03efd617fc94cfdf4fa2f644be323c712f8a
    • Instruction ID: 91653cfea3fa2d27c333f76065649dce6e56e655d3fb613a2b64778f86b7346f
    • Opcode Fuzzy Hash: b5192ca55eb2e4840751bad8a45e03efd617fc94cfdf4fa2f644be323c712f8a
    • Instruction Fuzzy Hash: F0A1CF34B102058BDB15AB78D895BBEB7B3EF98308F148429EA06D7395DF798C41CB91
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a41926452be104400ea5b7afff2ba1d15668feb369144ac512f0f277167c689f
    • Instruction ID: 73347803379c5496b7161c98a3598a2419efddaae32837bf15a316a2e31d6156
    • Opcode Fuzzy Hash: a41926452be104400ea5b7afff2ba1d15668feb369144ac512f0f277167c689f
    • Instruction Fuzzy Hash: A511E935A101185FCF149BB4D848DEF7BF2EF88204B06447AE606D7276DF319C568780
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1151c0e440780202bd78365bc5dcbd4259e5a056155ae6c27baad646a4a196b9
    • Instruction ID: 51f29dc038ec4392386d7e1374c4f255f38fc78278dd8bb71016626b811ad327
    • Opcode Fuzzy Hash: 1151c0e440780202bd78365bc5dcbd4259e5a056155ae6c27baad646a4a196b9
    • Instruction Fuzzy Hash: C4119131B20118AFCB549BB4D948DEE7BF6FF88214B06447AE606E7235EF329C558790
    Memory Dump Source
    • Source File: 00000007.00000002.2030947891.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_10f0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f7785fd7624cfe446a46666900105e6a675357aec2968f9ee8fdf4920363446c
    • Instruction ID: bf5ad33c7fd6a7a1fac733e53ab84416914785e52a05a318bf53aebac38de84c
    • Opcode Fuzzy Hash: f7785fd7624cfe446a46666900105e6a675357aec2968f9ee8fdf4920363446c
    • Instruction Fuzzy Hash: 7A0184B24093446FD301DB15AC45D56BBE8EB86620F08C4AEEC4987246D37AA9098BA2
    Memory Dump Source
    • Source File: 00000007.00000002.2030947891.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_10f0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9176d07fcf6fd0fc9cfc31029d613c87308b541c1766b411a44dd45e642495c8
    • Instruction ID: 1464ccbc5d2154a7f8b86bf82986331e57d961f73aab7b7663408c1d2fbb6467
    • Opcode Fuzzy Hash: 9176d07fcf6fd0fc9cfc31029d613c87308b541c1766b411a44dd45e642495c8
    • Instruction Fuzzy Hash: 64018BB55093805FD711CF16AC45862FFF8EB46620709849FEC4987612D279B918CBB2
    Memory Dump Source
    • Source File: 00000007.00000002.2030947891.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_10f0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37221931b8e261cd32f989bbc2af37c535cba44805d13b4106a74e026fd0507c
    • Instruction ID: dfc88144e93b91d726120432c2edaeb0f49f6ec1d031bf0930851566ce43bb96
    • Opcode Fuzzy Hash: 37221931b8e261cd32f989bbc2af37c535cba44805d13b4106a74e026fd0507c
    • Instruction Fuzzy Hash: 1FF082B29453046B9240DF15ED46866F7ECEFC5621F08C56AEC098B305E37ABD154AE2
    Memory Dump Source
    • Source File: 00000007.00000002.2030947891.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_10f0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 00293d6000dd00730a7977b48a859bbca3546e1f70a1cc828daa8c36afa59f45
    • Instruction ID: f5c049f33de697baadbd7f762d9cccc0e71e5c6ab6f50607705f07bcaf4830a5
    • Opcode Fuzzy Hash: 00293d6000dd00730a7977b48a859bbca3546e1f70a1cc828daa8c36afa59f45
    • Instruction Fuzzy Hash: D6E092B6A406004B9750CF0BEC42462F7D8EB84630708C07FDC0E8B701D679B518CEA6
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c14c5a9d8596bff02bcf84c640a36af406b717648ca844f9ce48a8c031786293
    • Instruction ID: 45f138796f86491d214cb2cf10235f1eb41d4aeda64966da7c394eefc07721ed
    • Opcode Fuzzy Hash: c14c5a9d8596bff02bcf84c640a36af406b717648ca844f9ce48a8c031786293
    • Instruction Fuzzy Hash: DEE0DF31F182641FCB58DBF94894ABE3FA2DB85154F8646BEC408C7242EE358D828381
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 286584cf9bfa0b02b05e4ea0d2fe051f028a37c29a0d76546b4e91a1822c36ae
    • Instruction ID: 5de2a8d18bf774e50e33fc586fd62bad25d41d80051224684a1d9dffa4ed48d2
    • Opcode Fuzzy Hash: 286584cf9bfa0b02b05e4ea0d2fe051f028a37c29a0d76546b4e91a1822c36ae
    • Instruction Fuzzy Hash: BED0C231F002282B8B44DBF858445AF7EEA9B84154B42407EC008D3301EE319C818780
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b10bffe80f96c9d6cccd89c830124f73e18dd4e3c4a17ef77452d63184436a31
    • Instruction ID: 536aa517971a3a3ebabc1aebb1d1aa03b6d054eba487e541d3e112138e824cd4
    • Opcode Fuzzy Hash: b10bffe80f96c9d6cccd89c830124f73e18dd4e3c4a17ef77452d63184436a31
    • Instruction Fuzzy Hash: 7BE0C22814E2804FC717D7748865EA93F715F91204F4AC19AD848CB1A7D670CC44C741
    Memory Dump Source
    • Source File: 00000007.00000002.2030415841.0000000000F32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F32000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f32000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c7f09f8dc9856b2d20e31e86325cadff0224739b298151f71308f60a2526eba4
    • Instruction ID: 379ba6cb977476506fd4c60d38c37b83908503db9437b37aea1df76b896cf7ad
    • Opcode Fuzzy Hash: c7f09f8dc9856b2d20e31e86325cadff0224739b298151f71308f60a2526eba4
    • Instruction Fuzzy Hash: 10D05E796056814FD716DA1CC1A5F9537D4AB51724F4A44FDA8008B763C768E981E640
    Memory Dump Source
    • Source File: 00000007.00000002.2030415841.0000000000F32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F32000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_f32000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7d27990d887beafe2201eb226bf81fb0aa73f45107670dd41ceaf74f1f6f961d
    • Instruction ID: 6f8e6dcb5be0deb114881fd132460f49069c63fd590df6d093f4190442dfba15
    • Opcode Fuzzy Hash: 7d27990d887beafe2201eb226bf81fb0aa73f45107670dd41ceaf74f1f6f961d
    • Instruction Fuzzy Hash: B2D05E356402814BC729DA1CC2D4F5973D4AB40B25F0644ECAC108B362C7A8D8C0DA40
    Memory Dump Source
    • Source File: 00000007.00000002.2031025352.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_12b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3b4aa8d9f035e5cfd4c8bcc8562dbdf6af1f5dce977927ff1dae4f7eec2f6a80
    • Instruction ID: 3e2e1aad1b8a5abb6211a92ada8855b97ac55edf67c8ec4ac061e96a091d749f
    • Opcode Fuzzy Hash: 3b4aa8d9f035e5cfd4c8bcc8562dbdf6af1f5dce977927ff1dae4f7eec2f6a80
    • Instruction Fuzzy Hash: E7C012302202048BD705A768D559E7A77A65BD0704F85C064A5084B255DF70EC80C684